Your patch is basically checking that http:// is followed by a word character; could you explain why this is the right thing to do? IMO, validation must be implemented correctly or not at all.

Regarding the patch, I think it would be much clearer to structure the code like this:

if middle.startswith('http://') or middle.startswith('https://'):
# do additional checks, and set url only if the checks pass
elif ... # unchanged

It's more readable than adding not middle.startswith('http') to every subsequent condition — since you only added it to the first one, I think ​http:////@foo.com will be misinterpreted as an email. (By the way, Trac happily turns that into an HTTP link).